Assess a package
Trusty collects package intelligence data in a package report. This data is presented on the package details page in the Trusty web interface when you select a package from the search results.
The package details page is divided into four areas:
- Page heading: includes the quick search bar, dark mode toggle, and sign-in / profile menu
- Package overview: basic information about the package
- Package Insights: security, vulnerability, and health information about the package, plus potential alternative packages
- Package Dependencies: lists the packages that the current package depends on
Package overview
The package overview section includes details of the selected package.
- Package ecosystem, name, and description. For packages identified as archived or malicious, a callout banner appears above this section.
- Package details, from left to right:
  - Version picker: Select the specific version you're interested in. The last five versions are displayed in the drop-down. To see all versions, select Show complete history in the list.
  - Release date: Date when the selected version of the package was released.
  - License: If detected, the open source license used by the package. Click to view the license details. To learn more, see License information.
  - Package manager: Click to view the package in the source registry (PyPI, npm, etc.).
  - Source repository: Click to open the package's source code repository.
  - Favorite: Add the package to your personal favorites. If you are not signed in to Trusty, clicking this takes you to the sign-in page first.
Package insights
The package insights tab contains detailed information about the security, risk, and health signals Trusty collects about a package.
- Security signals help you assess the potential risks of using this package in your project. These include:
  - Provenance (proof of origin): Can this package be reliably traced back to its source repository? Learn more about the importance of provenance as a measure of a package's risk posture.
  - Typosquatting: Does this package present a high risk of mistakenly installing a malicious package? Learn more about typosquatting in greater detail, and how Trusty ascertains typosquatting risk.
  - Starjacking: Does this package represent a heightened risk of exploiting another package's reputation, presenting a false sense of identity? Learn more about starjacking attacks and how Trusty identifies potential starjacking attempts.
- The vulnerabilities section indicates whether the currently selected version of the package contains any known vulnerabilities, as reported by the OSV.dev database. Click to view more details and a link to the detailed report at OSV.dev. To learn more about how Trusty reports vulnerabilities, see Vulnerabilities.
- Activity health measures author contributions and overall repository activity, aggregated into a score from 0 to 10. To learn more about these indicators and how Trusty calculates a score, see Activity health.
- The Alternative packages section lists packages with similar functionality to the current package. See Find an alternative package.
Package dependencies
The package dependencies tab lists the direct and indirect dependencies of the current package. Click on a row in the table to expand more details about the dependency in a side panel. The side panel shows high-level details of the package, including a link to the package, security signals, activity score, and its dependencies.
To learn more, see Transitive dependencies.